FreeKB - Ansible - Copy an ansible vault encrypted file to managed nodes

Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.

  1. Store the encrypted data in a variable
  2. Copy the encrypted file to each managed node

By far, option 1 is preferred. However, if for some reason option 1 is not feasible, this article describes how to copy an encrypted file to each managed node.

Let's say you used the ansible-vault create command to create a file named passwords.yml that contains sensitive data, perhaps something like this.

test_password: itsasecret
prod_password: hGn4!kD98A


Viewing passwords.yml with the cat command displays only the encrypted vault content, not the passwords. The ansible-vault view command decrypts the file so that its content can be read.



Here is an example of how passwords.yml could be used with the copy module.

- hosts: all
  tasks:
    - name: copy passwords.yml to the /usr/local/secure directory
      copy:
        src: passwords.yml
        dest: /usr/local/secure/passwords.yml
        owner: root
        group: root
        mode: '0600'


Let's say you issue the ansible-playbook command like this.

ansible-playbook foo.yml


The following should be returned.

TASK [copy passwords.yml to the /usr/local/secure directory] 
fatal: []: FAILED! => {"msg": "A vault password or secret must be specified to decrypt passwords.yml"}


Let's store the password that was used to encrypt passwords.yml in a file such as .vault_password.txt.

echo "itsasecret" > .vault_password.txt


Then restrict the permissions on .vault_password.txt so that only the owner of the file can read and write it.

chmod 0600 .vault_password.txt


The --vault-password-file command line option can then be passed to ansible-playbook.

ansible-playbook foo.yml --vault-password-file .vault_password.txt


On each managed node that passwords.yml was copied to, the copy module decrypts the file before writing it, so /usr/local/secure/passwords.yml holds the plaintext content shown below. This is why the task sets owner root and mode 0600: the secrets are no longer protected by the vault once they are on the managed node.

test_password: itsasecret
prod_password: hGn4!kD98A
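Two things this procedure relies on but never verifies are that passwords.yml really is vault-encrypted before it is shipped (a plaintext file with the same name would be copied just as happily) and that .vault_password.txt is not readable by group or others. The following pre-flight check is an added example, not code from the original article or from Ansible; it detects the vault header that ansible-vault writes on the first line of an encrypted file and checks the password file's mode bits. The file names are the article's; the function names and the sample files built by demo() are this example's own constructed data.

```python
"""Pre-flight checks before running a playbook that copies a vault-encrypted file.

Added example (not from the original article). It verifies:
  1. the vault file starts with the $ANSIBLE_VAULT header, so plaintext
     secrets are not copied to managed nodes by mistake;
  2. the vault password file has no group/other permission bits (mode 0600).
"""
import os
import stat
import tempfile

# Every file written by ansible-vault begins with this header, e.g.
# "$ANSIBLE_VAULT;1.1;AES256" (or ";1.2;AES256;<vault-id>" when an id is used).
VAULT_HEADER = "$ANSIBLE_VAULT;"


def has_vault_header(first_line: str) -> bool:
    """True if the given first line is an ansible-vault header line."""
    return first_line.startswith(VAULT_HEADER)


def is_vault_encrypted(path: str) -> bool:
    """True if the file on disk carries the ansible-vault header."""
    with open(path, "r", encoding="utf-8") as fh:
        return has_vault_header(fh.readline())


def vault_password_file_is_private(path: str) -> bool:
    """True if only the owner can access the password file (no group/other bits set)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def preflight(vault_file: str, password_file: str) -> list:
    """Return a list of problems; an empty list means it is safe to run ansible-playbook."""
    problems = []
    if not is_vault_encrypted(vault_file):
        problems.append(f"{vault_file} is not vault-encrypted; refusing to copy plaintext secrets")
    if not vault_password_file_is_private(password_file):
        problems.append(f"{password_file} is readable by group or others; run chmod 0600")
    return problems


def demo() -> dict:
    """Run the checks against constructed sample files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed: a plaintext file like the one shown in the article.
        plain = os.path.join(tmp, "passwords.yml")
        with open(plain, "w", encoding="utf-8") as fh:
            fh.write("test_password: itsasecret\nprod_password: hGn4!kD98A\n")
        # Constructed: the header line ansible-vault writes; the hex body is a placeholder.
        encrypted = os.path.join(tmp, "passwords.vault.yml")
        with open(encrypted, "w", encoding="utf-8") as fh:
            fh.write("$ANSIBLE_VAULT;1.1;AES256\n3030303030303030\n")
        pw = os.path.join(tmp, ".vault_password.txt")
        with open(pw, "w", encoding="utf-8") as fh:
            fh.write("itsasecret\n")
        os.chmod(pw, 0o644)  # the weak setting: world-readable password file
        results["plaintext_world_readable"] = preflight(plain, pw)
        os.chmod(pw, 0o600)  # the corrected setting from the article
        results["encrypted_private"] = preflight(encrypted, pw)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

Run the script before ansible-playbook (or wire preflight() into a pre-commit hook) and abort if it returns any problems; the two demo cases show a failing run with a plaintext file and a 0644 password file, and a passing run once the file is encrypted and the password file is 0600.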


